def create_ef_role()

in dcv_session_manager_infrastructure/dcv_session_manager_infrastructure_stack.py [0:0]


    def create_ef_role(self, ef_nodename_parameter, dcvsm_certificate, config, closing_hook, starting_hook, interactive_builtin_linux_desktop, interactive_builtin_windows_desktop) -> iam.Role:
        """Build the EC2 instance role for the EF node and attach its permissions.

        Args:
            ef_nodename_parameter: SSM parameter the node may read and write
                (only its ``parameter_arn`` is used).
            dcvsm_certificate: SSM parameter holding the DCVSM certificate; the
                node gets Get/Put on its ``parameter_arn``.
            config: mapping; ``config['arn_efadmin_password']`` is the Secrets
                Manager ARN the node may read.
            closing_hook, starting_hook, interactive_builtin_linux_desktop,
            interactive_builtin_windows_desktop: S3-backed assets exposing
                ``s3_bucket_name`` and ``s3_object_key``; the node gets
                ``s3:GetObject`` on exactly those object ARNs.

        Returns:
            The ``iam.Role`` (trusting ``ec2.amazonaws.com``) with the
            ``AmazonSSMManagedInstanceCore`` managed policy and the inline
            statements below attached.
        """
        instance_role = iam.Role(
            self, "EF_ROLE", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))

        # Session Manager console access (no SSH key or inbound port required).
        instance_role.add_managed_policy(
            iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))

        def grant(actions: list[str], resources: list[str]) -> None:
            # One inline ALLOW statement per call; calls are made in the same
            # order as the statements appear in the policy.
            instance_role.add_to_policy(
                iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    actions=actions,
                    resources=resources,
                )
            )

        def s3_object_arn(asset) -> str:
            # Object-level ARN: GetObject is scoped to the single key, not the bucket.
            return f"arn:aws:s3:::{asset.s3_bucket_name}/{asset.s3_object_key}"

        # The node reads and rewrites its own node-name and certificate parameters.
        grant(
            ["ssm:PutParameter", "ssm:GetParameter"],
            [ef_nodename_parameter.parameter_arn, dcvsm_certificate.parameter_arn],
        )

        # Bootstrap assets the node downloads: the two hooks and the built-in desktops.
        grant(
            ["s3:GetObject"],
            [
                s3_object_arn(closing_hook),
                s3_object_arn(starting_hook),
                s3_object_arn(interactive_builtin_linux_desktop),
                s3_object_arn(interactive_builtin_windows_desktop),
            ],
        )

        # Read the efadmin password secret (and only that secret).
        grant(["secretsmanager:GetSecretValue"], [config['arn_efadmin_password']])

        # ec2:DescribeInstances does not support resource-level permissions in IAM,
        # so "*" is the narrowest resource that works here.
        grant(["ec2:DescribeInstances"], ["*"])

        # NOTE(review): "elasticloadbalancing:*" on every resource is far broader
        # than "modify the loadbalancer" needs. Any process on the EF node -- or
        # anyone who compromises it -- can create, delete or re-target every load
        # balancer, listener and target group in the account. Restrict this to
        # the specific elasticloadbalancing actions the node actually issues and
        # to the ARNs of the load balancer / target groups it manages.
        grant(["elasticloadbalancing:*"], ["*"])

        return instance_role